Smithsonian Institution
Office of the Inspector General

In Brief

Smithsonian Institution Information Security Program
Report Number A-11-05, May 15, 2012

Why We Did This Audit

The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. The Smithsonian voluntarily complies with FISMA requirements because it is consistent with its strategic goals. We hired an independent auditor to conduct this review on our behalf.

Background

The goal of information security is to build a defensible enterprise that enables organizations to harness technological innovation, while protecting an organization's information and information systems.

FISMA requires organizations to adopt a risk-based, life cycle approach to improving information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reporting to the Office of Management and Budget (OMB) and the Congress. FISMA, OMB and the National Institute of Standards and Technology (NIST) also identify security requirements for federal information security programs.

What We Found

We determined that during the past year, the Office of the Chief Information Officer (OCIO) made improvements to strengthen the information security program, including proactively reviewing security controls and identifying areas to enhance the program. As part of its ongoing security program, the Smithsonian periodically performs network and system scans and annually provides security assessments and/or authorizations for all major systems, consistent with NIST guidance.

However, additional work is still needed to ensure controls are in place and operating effectively. We found weaknesses in four areas where OCIO did not do the following:

   • Maintain evidence that software changes were tested and approved before the changes were implemented;
   • Provide timely updates to its Technical Security Notes, hence the units did not always adhere to the employee separation process concerning the disabling or termination of user accounts;
   • Enforce the requirement that units submit quarterly monitoring reports; and
   • Implement security patches in a timely manner.

We also noted that OCIO has not completed addressing 12 information security recommendations from previous reports. By not implementing these recommendations, the Smithsonian's IT infrastructure and systems may be more vulnerable to unauthorized modifications and access, as well as the unavailability of important resources.

What We Recommended

We made nine recommendations to strengthen configuration change controls; improve user account management; enforce requirements for continuous monitoring reports; and strengthen patch management and flaw remediation.

Management concurred with our findings and recommendations and has proposed corrective actions that, if timely implemented, will resolve the recommendations.

For additional information, contact the Office of the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.


SMITHSONIAN INSTITUTION

FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

2011 INDEPENDENT EVALUATION REPORT


REPORT ON FISCAL YEAR 2011
Independent Evaluation of the Smithsonian Institution's Information Security Program

TABLE OF CONTENTS

PURPOSE .......................................................... 1
BACKGROUND ....................................................... 1
OBJECTIVES, SCOPE, AND METHODOLOGY ............................... 2
DETAIL OF RESULTS ................................................ 3
   I.   Configuration Change Control Needs to Be Strengthened ........................ 4
   II.  User Account Management Needs Improvement ................................... 6
   III. Smithsonian Units Are Not Consistently Submitting Quarterly Monitoring
        and POA&M Reports ........................................................... 8
   IV.  Patch Management / Flaw Remediation Controls Need to Be Strengthened for
        Servers and Desktop Workstations ............................................ 9
STATUS OF PRIOR YEARS' FINDINGS AND RECOMMENDATIONS ............. 11
MANAGEMENT RESPONSE ............................................. 17


On behalf of the Office of the Inspector General (OIG), CliftonLarsonAllen (CLA) conducted an independent evaluation of the Smithsonian's information security management program and practices consistent with Title III of the 2002 E-Government Act, also known as the Federal Information Security Management Act (FISMA).

PURPOSE

The E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information Security Management Act of 2002 (FISMA), was enacted to strengthen the security of federal government information systems.

The Smithsonian is not subject to the E-Government Act of 2002, nor is it subject to the OMB guidelines implementing the Act and the E-Government Act Section 208 guidance as it relates to the Privacy Act of 1974. However, it is the Smithsonian's practice to secure its information consistent with the available resources and provisions of the two statutes as well as OMB guidelines.

FISMA outlines federal information security compliance criteria, including the requirement for an annual independent assessment by the Inspector General. This report presents the results of the Smithsonian's Office of the Inspector General (OIG) annual evaluation of the information security controls implemented by the Smithsonian, based on the work performed by CliftonLarsonAllen LLP.

The privacy provisions of the E-Government Act require federal organizations to ensure sufficient protections for the privacy of personal information as federal organizations implement citizen-centered electronic Government. Federal organizations are directed to conduct reviews of how information about individuals is handled within their agency when they use information technology (IT) to collect new information, or when federal organizations develop or buy new IT systems to handle collections of personally identifiable information. Federal organizations are also directed to describe how the government handles information that individuals provide electronically, so that the American public has assurances that personal information is protected.

BACKGROUND

The goal of information security is to build a defensible enterprise that enables organizations to harness technological innovation, while protecting an organization's information and information systems. To maximize the timeliness and integrity of security-related information, the collection of data should be a by-product of existing continuous monitoring processes.

FISMA requires organizations to adopt a risk-based, life cycle approach to improving information security that includes annual security program reviews, independent evaluations by the OIG, and reporting to the Office of Management and Budget and the Congress. FISMA, OMB and the National Institute of Standards and Technology (NIST) also identify security requirements for federal information security programs. These include:

   • Security assessments conducted as part of an information system security authorization or re-authorization process; and
   • Continuous monitoring activities, to include testing and evaluating the information system as part of the ongoing system development life cycle process (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness).

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of this evaluation were to assess the effectiveness of the Smithsonian's information security program and practices and to determine compliance with FISMA requirements and the Smithsonian's security policies, procedures, standards, and guidelines.

On behalf of the OIG, CliftonLarsonAllen LLP performed an independent evaluation of the Smithsonian's information security management program. We conducted this evaluation in accordance with Government Auditing Standards, July 2007 Revision, as amended, promulgated by the Comptroller General of the United States. Those standards require that we plan and perform an audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our objectives.

We followed a work plan based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems; NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems; NIST Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; and our general controls review methodology.

Our procedures included performing security reviews of the Smithsonian's information technology (IT) infrastructure and major systems, and reviewing the Smithsonian's Plans of Action and Milestones (POA&Ms). We also based our audit on detailed interviews with the Office of the Chief Information Officer's (OCIO) personnel and major system owners or sponsors. CLA developed a three year audit rotation plan in consultation with the OIG to review the Smithsonian's seventeen major systems. We evaluated the following subset of six major systems in FY 2011, which includes one contractor operated system:

   • Web Time & Attendance (WebTA)
   • Smithsonian Tracking and Applicant Referral System (MGS STARS)
   • OFEO Facilities Management System (FMS)
   • Smithsonian Network (SINet), the Smithsonian's general support system
   • Smithsonian Online Academic Appointment System (SOLAA)
   • Art Collection Information System (ARTCIS)

We performed these procedures to test (1) the implementation of a Smithsonian-wide security program, and (2) operational and technical controls specific to each system such as service continuity, logical access, and change controls. Additionally, we evaluated management's actions completed through September 30, 2011, to address prior years' recommendations.

We also evaluated the Smithsonian's privacy program, interviewed the Senior Privacy Officer (SPO) and reviewed prior years' privacy program recommendations.

We performed our review from October 7, 2011, through November 18, 2011, at the Smithsonian's Office of the Inspector General in Washington, D.C., and at the Office of the Chief Information Officer at the Smithsonian data center.

Smithsonian's management and staff were helpful and accommodating throughout this review and assisted us in refining the recommendations. This independent evaluation was prepared based on information available as of October 31, 2011.

DETAIL OF RESULTS

Our audit of the Smithsonian's security management program and practices determined that during the past year, OCIO made improvements to strengthen the information security program, including proactively reviewing security controls and identifying areas to enhance the program. As part of its ongoing security program, the Smithsonian periodically performs network and system scans and annually provides security assessments and/or authorizations for all major systems, consistent with NIST's guidance.

However, additional work is still needed to ensure controls are in place and operating effectively. We found weaknesses in FY 2011 in the following four areas where OCIO did not do the following:

   • Maintain evidence that software changes were tested and approved before the changes were implemented;
   • Provide timely updates to its Technical Security Notes, hence the units did not always adhere to the employee separation process concerning the disabling or termination of user accounts;
   • Enforce the requirement that units submit quarterly monitoring reports; and
   • Implement security patches in a timely manner.

Management concurred with our findings and recommendations and has proposed corrective actions that will resolve the recommendations. Management's full response is attached to this report.

We also noted that 17 prior years' information security recommendations were closed in FY 2011 and 12 prior years' information security recommendations directed to OCIO remain open, including four recommendations from the FY 2010 FISMA report. The following is a list of some of the more important open recommendations from prior year reports:

   • Re-assess the security categorization for major systems currently categorized as low-impact systems, based on the type of PII stored in the system. The systems should either be re-classified as moderate or the security categorization revised to include adequate justification for classifying the system as low.
   • Ensure that all major and minor systems are addressed in system security plans in accordance with OMB and NIST guidelines. OCIO should ensure controls over major and minor systems are identified, documented, and implemented based on their impact on the Smithsonian or sensitivity of data they process or store.
   • Establish procedures to ensure existing policies requiring the use of standard baselines are implemented and enforced.
   • Implement controls to ensure that all SI-owned laptops/mobile devices that may be used to store sensitive information are secured with an appropriate encryption technology.

We also noted that one privacy program recommendation was closed in FY 2011, and 8 prior year privacy program related recommendations remain open from the FY 2008 Privacy Program Evaluation report. This FY 2008 report recommended that the Smithsonian develop, document, and implement privacy policies and procedures to support an overall privacy program that adequately addresses privacy-related risks. Without comprehensive privacy policies and procedures in place, the Smithsonian is at greater risk for inappropriately handling or disclosing sensitive PII. In addition, the lack of clear privacy policies or procedures for describing and defining sensitive PII, and how sensitive PII should be handled, greatly increases the likelihood that individuals who come into contact with sensitive PII will handle it inappropriately.

The Smithsonian needs to make greater progress in implementing important information security and privacy recommendations from prior reports.

The Status of Prior-Years' Findings and Recommendations table, included in this report, documents the details for 20 open recommendations. One recommendation is as much as five years old. By not implementing these recommendations the Smithsonian's IT infrastructure and systems may be more vulnerable to unauthorized modifications and access, as well as the unavailability of important resources.

The Smithsonian continues to make progress on implementing recommendations from previous reports, including:

   • Updating all major systems security plans and clarifying security assessment boundaries.
   • After field work for this audit was completed, OCIO documented, justified, and formally accepted deviations from the Federal Desktop Core Configuration (FDCC) settings.

The following is a more detailed discussion of the four new control weaknesses identified above that we found in our FY 2011 FISMA evaluation, as well as recommendations for strengthening management controls over the Smithsonian's information security program. We present our findings in the order of greatest risk to the Smithsonian.

I. Configuration Change Control Needs to Be Strengthened

Controls were not operating effectively to ensure that software changes were tested and approved before being migrated into the production environment. The Change Control Board (CCB) did not maintain documentation for the testing/approval of software changes.

The CCB did not have evidence for changes selected for review, including software upgrades, firewall changes, and server replacements. Missing documentation included the following:

   • None of the eight tickets tested had any evidence that testing was approved; and
   • Management has not developed a process to consistently document evidence of testing of changes.

Information systems are typically in a constant state of change as organizations add new capabilities, correct software flaws, address security threats, and for other valid reasons. To ensure that these necessary changes do not introduce new vulnerabilities or adversely affect the operation of the system, NIST recommends that organizations adopt a well-defined configuration management process that includes testing and approval of the changes.

Specifically, NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, CM-3, provides the following characteristics of a well-defined change control process:

   (1) The organization:
       a) Determines the types of changes to the information system that were configuration controlled;
       b) Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
       c) Documents approved configuration-controlled changes to the system;
       d) Retains and reviews records of configuration-controlled changes to the system;
       e) Audits activities associated with configuration-controlled changes to the system; and
       f) Coordinates and provides oversight for configuration change control activities through the Change Control Board that convenes [frequency] [organization-defined configuration change conditions].

   (2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

The Smithsonian defined its configuration change control process in its Technical Standards and Guidelines as follows:

   Moderate and High Impact systems must meet the following requirements: The Unit's IT System Manager or Major System Sponsor must document and control major changes to the Unit's major information system. The Technical Review Board must approve significant changes, and the Change Control Board should be requested to approve all changes in which the production system will be taken off-line. The Unit's IT System Manager or Major System Sponsor may approve minor changes.

   Configuration change control involves the systematic proposal, justification, test/evaluation, review, and disposition of proposed changes. The Unit's IT System Manager or Major System Sponsor must include emergency changes in the configuration change control process.[1]

[1] SI Technical Standards and Guidelines (TSG) IT-930-02 Security Controls Manual, Section 3.5.3 Configuration Change Control (CM-3).

The lack of evidence that OCIO is ensuring changes are tested as part of the change control process could increase risks to system availability and integrity. OCIO's CCB needs to ensure adequate documentation of changes and approvals to the Smithsonian systems in order to prevent any unauthorized or inappropriate modification of the operating environment.

Recommendation:

   1. We recommend that the Chief Information Officer (CIO) establish and implement additional Change Control Board (CCB) procedures, which more clearly document the types of changes that are required to undergo testing prior to being moved into the production environment, or that the CCB would accept any residual risk.

II. User Account Management Needs Improvement

Controls were not operating effectively to ensure that access to the Smithsonian's information technology resources was adequately controlled. Specifically, the process for documenting the termination of access for employees and contractors was not properly followed and/or enforced. We noted that the documentation for termination of access (i.e. the HEAT[2] ticket) was not available for eight out of twenty-four separated employees and contractors. No evidence was available to determine whether access was disabled or terminated promptly upon notification.

TSG IT-930-02 "Security Control Manual" required that inactive accounts be disabled after 90 days. The Security Program Procedures IT-930-TN04, "Disabling and Deleting Dormant Accounts," was out-of-date and was not in compliance with the overarching SI Security Policy. TN04 indicated that inactive accounts will be disabled after 30 days and needs to be updated to be consistent with the Security Control Manual. According to the CIO, after we completed our fieldwork, OCIO published an update for IT-930-TN04 and began the process of updating IT-930-02 to address this issue.

The appropriate organization officials for the Art Collection Information System (ARTCIS)[3] and the Smithsonian Online Academic Appointment System (SOLAA)[4] were not submitting the proper access request forms. Hence, System Sponsors did not consistently enforce the access request process across all units.

According to OCIO management, limited personnel resources have hindered timely updates to the Smithsonian's Technical Notes on security. The Smithsonian's employee separation process was not always adhered to by appropriate organization officials. In addition, ARTCIS and SOLAA System Sponsors need to implement the Smithsonian's formal access request procedures.

[2] HEAT is a commercial helpdesk issue management software suite.
[3] ARTCIS is based on The Museum System (TMS) and serves the internal collections management needs of ten of the Smithsonian's museums. ARTCIS provides the public with easy access to more than 600,000 works of art.
[4] SOLAA is an automated system for processing internships, fellowships and other academic appointments. The mission of the SOLAA system is to provide one common portal and process to accept academic appointment applications from the public and provide management of the applications by each unit.

User account management procedures are implemented to ensure that only authorized users have access to an organization's resources. When an employee or contractor leaves an organization or no longer has a need to access an organization's resources, their access privileges should be revoked. The Smithsonian's Technical Standards and Guidelines assign responsibility for user account management to system administrators. System administrators are responsible for:

   • reviewing accounts once every 30 days to identify accounts that have been inactive for 90 days;
   • disabling accounts that have been inactive for 90 days;
   • notifying their unit manager that the account has been disabled;
   • deleting after another 90 days (for a total of 180 days of inactivity).[5]

Technical Note, IT-960-TN-12, "Active Directory Account and Password Requests," dated September 18, 2007, states: In order to adhere to the procedures in this technical note, all IT support staff that provision and maintain Active Directory accounts must use OCIO's supported HEAT system.

Terminated employees or contractors may retain access and transferred employees may have access to resources to which they are not entitled.
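The dormant-account schedule and the separation process described above, as an added example that is not code from the report or from OCIO: a 30-day review script that applies the 90/180-day thresholds quoted from TSG IT-930-02 to constructed account records and flags separated users who lack a HEAT ticket or still hold an enabled account. The Account fields, the sample names and the ticket id are assumptions, not values from the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Thresholds as quoted from TSG IT-930-02 in the report: accounts inactive for
# 90 days are disabled, then deleted after another 90 days (180 days total).
# IT-930-TN04 said 30 days at the time of the audit; that is the inconsistency
# the report asks OCIO to resolve.
DISABLE_AFTER_IDLE_DAYS = 90
DELETE_AFTER_DISABLED_DAYS = 90
TOTAL_IDLE_BEFORE_DELETE = DISABLE_AFTER_IDLE_DAYS + DELETE_AFTER_DISABLED_DAYS


@dataclass
class Account:
    # Hypothetical record layout; the report does not describe one.
    name: str
    last_logon: date
    enabled: bool
    disabled_on: Optional[date] = None        # when the account was disabled
    separated_on: Optional[date] = None       # when HR reported the person left
    termination_ticket: Optional[str] = None  # HEAT ticket documenting removal


def dormancy_action(acct: Account, review_date: date) -> str:
    """Lifecycle action for one account at the 30-day review."""
    idle_days = (review_date - acct.last_logon).days
    if not acct.enabled:
        # A disabled account is deleted once it has been disabled for 90 days.
        since_disabled = (review_date - (acct.disabled_on or acct.last_logon)).days
        return "delete" if since_disabled >= DELETE_AFTER_DISABLED_DAYS else "wait"
    if idle_days >= TOTAL_IDLE_BEFORE_DELETE:
        # Still enabled past the deletion point: an earlier review was missed.
        return "disable-overdue"
    if idle_days >= DISABLE_AFTER_IDLE_DAYS:
        return "disable"
    return "none"


def separation_findings(acct: Account, review_date: date) -> List[str]:
    """Checks against the separation process: a separated employee or
    contractor needs a HEAT ticket documenting removal and no enabled account."""
    findings: List[str] = []
    if acct.separated_on is None:
        return findings
    if acct.termination_ticket is None:
        findings.append("no termination ticket")
    if acct.enabled:
        days = (review_date - acct.separated_on).days
        findings.append(f"still enabled {days} days after separation")
    return findings


def review_accounts(accounts: Iterable[Account], review_date: date) -> Dict[str, dict]:
    """One row per account: the dormancy action plus any separation findings."""
    return {
        a.name: {"action": dormancy_action(a, review_date),
                 "findings": separation_findings(a, review_date)}
        for a in accounts
    }


# Constructed sample records (not from the report), reviewed on the report's
# information cut-off date of October 31, 2011.
REVIEW_DATE = date(2011, 10, 31)
SAMPLE = {a.name: a for a in [
    Account("alice", date(2011, 10, 20), True),
    Account("bob", date(2011, 6, 1), True),                      # 152 days idle
    Account("carol", date(2011, 3, 1), False, disabled_on=date(2011, 6, 1)),
    Account("dave", date(2011, 9, 14), True, separated_on=date(2011, 9, 15)),
    Account("erin", date(2011, 8, 31), False, disabled_on=date(2011, 9, 1),
            separated_on=date(2011, 9, 1), termination_ticket="HEAT-SAMPLE-001"),
    Account("frank", date(2011, 1, 1), True),                    # 303 days idle
]}

if __name__ == "__main__":
    for name, row in review_accounts(SAMPLE.values(), REVIEW_DATE).items():
        print(f"{name:6} {row['action']:16} {'; '.join(row['findings'])}")
```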
Inadequate user account management procedures expose the Smithsonian's IT resources to potential unauthorized access, data loss, and data manipulation.

In his response to this report, the CIO stated that OCIO has implemented improvements in the exit clearance process to ensure separated employee and contractor access to the Smithsonian network is terminated according to existing policies.

Recommendations:

To strengthen user account management, we recommend that the Chief Information Officer:

   2. Ensure that Technical Note IT-930-TN04, "Disabling and Deleting Dormant Accounts," aligns with TSG IT-930-02, Security Controls Manual.

   3. Enforce the termination process for employees and contractors leaving the Smithsonian and ensure that the OCIO Help Desk removes separated employees' and contractors' access to SINet in accordance with Smithsonian policies and procedures.

We recommend that the Systems Sponsor for ARTCIS:

   4. Develop and implement formal access request procedures to ensure that access is properly documented and approved to adequately enforce the principle of "least privilege".

We recommend that the Systems Sponsor for SOLAA:

   5. Develop and implement formal access request procedures to ensure that access is properly documented and approved to adequately enforce the principle of "least privilege".

[5] IT-930-02, Security Controls Manual, version 3.5, Dormant Accounts.

III. Smithsonian Units Are Not Consistently Submitting Quarterly Monitoring and POA&M Reports

Management controls were not operating effectively to ensure all of the major system points of contact were providing periodic monitoring and POA&M reports to OCIO and that reasonable remediation dates were being met for resolving and/or correcting security weaknesses.

According to NIST, organizations demonstrate adequate due diligence by continuously monitoring security controls to ensure that they continue to be effective in light of changes to information systems and their operating environment that inevitably occur. OCIO has a monitoring process that tracks POA&Ms and compliance reporting.[6] Several information systems' Points of Contact did not consistently provide evidence of quarterly monitoring reports[7] to OCIO. Also, we noted several instances where POA&M remediation dates were delayed.

According to OCIO, limited system resources have delayed the correction and resolution of POA&Ms.

The Smithsonian has defined continuous monitoring activities in its Technical Standards and Guidelines:

   Continuous monitoring activities include configuration management and controls of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The Smithsonian has established as a baseline a minimum selection of items for control monitoring. Each AIS or Unit may also select additional subsets of the security controls for purposes of continuous monitoring. Reports that are required for baseline monitoring are found in Appendix D.[8]

The Smithsonian has assigned responsibility for implementing POA&Ms to correct weaknesses in its IT systems in the following technical note:

   The Unit Director is responsible for ensuring that an individual is assigned to manage applicable program POA&Ms for their unit and that the assigned person is responsible for ensuring planned tasks are completed.

   The Unit IT Director or the OIG-designated recipient of the original report is responsible for identifying evidence to justify closure of the program audit recommendation.[9]

Preparing continuous monitoring reports helps to ensure that system sponsors effectively manage their systems. POA&M reports help management to ensure that weaknesses in IT systems are addressed in a timely manner. Without these reports, OCIO cannot ensure that system sponsors are following the Smithsonian policies and managing their systems effectively.

Recommendations:

To enforce the OCIO's requirements for quarterly reporting, we recommend that the CIO:

   6. Ensure that continuous monitoring of major systems is operating effectively, and that the major system POCs provide reports on quarterly monitoring and reporting to the OCIO Security Program on account management activities and audit log reviews.

   7. Ensure the major system POCs provide quarterly POA&M progress updates to the OCIO Security Program, and notify the CIO and Unit Directors when the system or program POA&M scheduled completion dates are not being met.

[6] NIST Special Publication 800-37, Appendix G.
[7] The quarterly reports are specified in Technical Notes TN02 and TN04.
[8] SI Technical Standards and Guidelines (TSG) IT-930-02 Security Controls Manual, version 3.5, dated February 2011, section 3.4.7 Continuous Monitoring (CA-7).
[9] SI Technical Note, IT-930-TN29, IT Security Plans of Actions and Milestones.

IV. Patch Management / Flaw Remediation Controls Need to Be Strengthened for Servers and Desktop Workstations

Controls were not operating effectively to ensure that security patches were implemented on Smithsonian computers (servers and desktop workstations) in a timely manner.

From a targeted sample of 110 desktop workstations, we successfully tested 71 terminals to determine the version of the installed software. Some of these workstations were using outdated software that may no longer be supported by the vendor, or for which security updates may no longer be available. Approximately 70% of the targets tested were using Java versions from December 2008; 18% were missing Adobe product updates from 2010; 8% were missing Microsoft patches from 2009, 2010 and 2011; and approximately 60% of the target computers were missing QuickTime patches.

Therefore, software that was part of the installed OCIO desktop standard software inventory on the Smithsonian's computer systems was not consistently being patched for security issues on a timely basis.

In addition, there were several third-party products (Firefox, iTunes, Safari, and RealPlayer), which appear on less than 10% of the tested sample, that were missing patches more than 6 months old.

One of the most frequent reasons hackers are able to gain access to systems is when they are not patched with security updates. The Smithsonian has established patch management policies and procedures through its Technical Standards and Guidelines and Technical Notes.

SI Technical Note, IT-960-TN02 Patch and Update Management of Desktop Computers states that it "establishes the procedures for evaluating and implementing patches and service packs from Microsoft and updates from Apple for desktop computers." This technical note further states that "Timely implementation of vendor fixes is critical to ensuring that the Smithsonian computers, servers and desktop workstations remain secure and function optimally."

SI Technical Standards and Guidelines, IT-930-02, Security Controls Manual, 3.17.2 Flaw Remediation (SI-2), states that:

   IT-960-TN02, Patch and Service Pack Implementation for Desktop PCs outlines requirements for applying patches.
The system administrator will schedule the\n       application of the patch with the Change Control Board and adhere to the standard user\n       notification requirements outlined in the Technical Note.\n\n       IT-930-TN08, Implementing Vendor Software Patches/Fixes details the procedures on\n       implementing vendor software patches and fixes on desktop systems.\n\n       NIST has a vulnerability database available at http://nvd.nist.gov where it is possible to\n       check on known software product vulnerabilities.\n\nModerate and High Impact systems must meet the following requirements:\n\n       The organization employs automated systems to determine the status of flaw\n       remediation.\n\nThe conditions noted above can result in server and desktop workstations being unprotected\nagainst actively exploited vulnerabilities. These vulnerabilities expose the Smithsonian\xe2\x80\x99s\ncomputer assets, operating systems, applications and data to unauthorized access, data loss,\ndata manipulation and a reduction of system availability.\n\nRecommendations:\n\nTo strengthen patch management and flaw remediation controls, we recommend that the CIO:\n\n   8. \tImprove the current server and standard desktop workstation procedures to identify\n       any required operating system (OS) or application security patches.\n\n   9. 
\t Test and provide patch updates for the Smithsonian\xe2\x80\x99s standard desktop workstation\n        software inventory within 30 days for vendor identified critical security patches and 60\n        days for vendor identified high risk security patches following the release of the patch.\n\n\n\n\n                                               10 \n\n\x0c                                              REPORT ON FISCAL YEAR 2011\n\n                                    Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                                                Information Security Program \n\n\nSTATUS OF PRIOR YEARS FINDINGS AND RECOMMENDATIONS\n\nThe following table represents the current status of the prior years\xe2\x80\x99 information security system and program recommendations, 12\nrecommendations remain open and 17 recommendations were closed in FY 2011:\n\n             Report                Date Issued                               Recommendation                                 Current Status\n     FY 2006 FISMA Reviews\nThe Smithsonian Institution's                                                                                                Target date\n                                                 Establish procedures to ensure existing policies requiring the use of\nInformation Security Program        4/20/2007                                                                                 revised to\n                                                 standard baselines are implemented and enforced.\nA-06-05                                                                                                                       9/15/2012\nSmithsonian Institution Network                  Enforce separation of duty controls noted in the SINet system security\n(SINet) Audit                       8/10/2007    plan and specifically segregate system administration roles from              Closed\nA-06-07                                     
     security roles.\n    FY 2007 FISMA Reviews\n                                                 Identify, document, and implement segregation of duty controls for\nHuman Resources Management\n                                                 sensitive administrative and system support functions. Management\nSystem                              9/19/2007                                                                                  Closed\n                                                 should document in the system security plan those activities that need\nA-07-06\n                                                 to be segregated.\n                                                 Enforce Institution policy and procedures requiring the weekly review of\n                                                 logs and monthly submission of appropriately detailed management              Closed\n                                                 reports to OCIO.\n                                                 Document final baselines for the HRMS operating system and database\n                                                 after determining what Institution-wide baselines will be adopted and\n                                                                                                                               Closed\n                                                 specifically note where suggested security settings have not been\n                                                 implemented for valid business purposes.\n                                                 Implement baselines for the various components of the system including\nID and Badging, C-CURE Central,\n                                                 all databases and operating systems. 
In addition, where suggested\nand Central Monitoring Systems      3/31/2008                                                                                  Closed\n                                                 security settings cannot be implemented for valid business purposes,\nA-07-07\n                                                 management should document their deviations from the baseline.\n                                                 Ensure that all major and minor systems are addressed in system\n                                                 security plans in accordance with OMB and NIST guidelines. OCIO\nThe Smithsonian Institution's                    should ensure controls over major and minor systems are identified,         Target date\nInformation Security Program        3/31/2008    documented, and implemented based on their impact on the                     revised to\nA-07-08                                          Smithsonian or sensitivity of data they process or store.                    
9/15/2012\n\n\n\n                                                                 11 \n\n\x0c                                             REPORT ON FISCAL YEAR 2011\n\n                                   Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                                               Information Security Program \n\n\n             Report                Date Issued                              Recommendation                                  Current Status\n    FY 2008 FISMA Reviews\nSmithsonian Astrophysical\n                                                 OCIO needs to develop, document, and implement controls to ensure           Target date\nObservatory Scientific Computing\n                                   9/30/2008     Smithsonian policy is updated timely to include new IT requirements          revised to\nInfrastructure\n                                                 and disseminated to system sponsors and contractors.                         7/15/2012\nA-08-03\n                                                 Ensure system sponsors implement NIST, OMB, and Smithsonian\n                                                                                                                               Closed\n                                                 requirements within required timeframes.\n                                                 Logically segregate public-facing SAO Web sites from internal areas by\n                                                                                                                               Closed\n                                                 transferring or migrating these sites inside a DMZ.\n                                                 Comply with IT-960-TN16 and maintain individual server configuration\n                                                 documents for each server by system owner. 
In addition, fully document\n                                                 all instances where suggested security configurations are not followed,\n                                                                                                                               Closed\n                                                 due to technical limitations or valid business reasons, and this\n                                                 documentation should reflect management acceptance of associated\n                                                 risks.\n                                                 Comply with Smithsonian policy and enforce a 15-minute lock on all\n                                                 Solaris and Linux machines after exceeding the prescribed number of           Closed\n                                                 consecutive invalid access attempts.\n                                                 Implement session lock controls for Linux- and Solaris-based machines\n                                                                                                                               Closed\n                                                 that automatically activate after no more than 20 minutes of inactivity.\n                                                 Research tools that will enable automatic review of account activity for\n                                                 Solaris NIS. If such tools cannot be identified, management should\n                                                 document this deficiency in the risk assessment and system security\n                                                                                                                               Closed\n                                                 plan. 
In addition, if automated controls cannot be implemented, identify\n                                                 compensating controls that will reduce risks associated with not having\n                                                 automated account management controls.\n                                                 Adhere to Smithsonian policies and provide security awareness training\n                                                                                                                               Closed\n                                                 to all staff within 30 days of hire.\n                                                 Ensure that all individuals who have direct access to Institution\nNMNH EMu Application                             information system resources, including those without SINet accounts,\n                                   10/7/2008                                                                                   Closed\nA-08-04                                          sign the required rules of behavior forms and complete security\n                                                 awareness training.\n\n\n\n                                                                 12 \n\n\x0c                                               REPORT ON FISCAL YEAR 2011\n\n                                     Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                                                 Information Security Program \n\n\n              Report                 Date Issued                               Recommendation                                  Current Status\n                                                   Enforce Institution policy and procedures requiring submission of\n                                                   appropriately detailed management reports to OCIO based on the\n                                                   frequency described within Appendix E of 
Technical Standards &                 Closed\n                                                   Guidelines IT-930-02, IT Security Controls Manual, either monthly,\n                                                   quarterly or annually, depending on the reportable item.\nThe Smithsonian Institution's                      Ensure that general security awareness training is available and enforce\nInformation Security Program         3/17/2009     the requirement that all employees, contractors, volunteers, visiting          Closed\nA-08-09                                            scholars, and interns complete the training.\n                                                   Ensure the implementation of FDCC requirements across all domains at\n                                                                                                                                  Closed\n                                                   the Smithsonian and document any deviations.\n                                                                                                                                Target date\n                                                   Identify all of the Smithsonian\xe2\x80\x99s public websites that use e-\n                                                                                                                                 revised to\n                                                   authentication.\n                                                                                                                                 9/15/2012\n                                                                                                                                Target date\n                                                   Complete risk assessments for each public website that uses e-\n                                                                                                                                 revised 
to\n                                                   authentication, in accordance with OMB guidance.\n                                                                                                                                 9/15/2012\n                                                   Approve an Institution-wide initiative to develop, design, and implement\n                                                   a mechanism to track and monitor all employees, contractors,\n                                                   volunteers, visiting scholars, and interns, for compliance with general        Closed\n                                                   security awareness training, regardless of access to an Institution\n                                                   computer or network.\nFY 2009 FISMA Reviews\nFiscal Year 2009 Independent                       Re-assess the security categorization for major systems currently\nFISMA Audit Of The Smithsonian                     categorized as low-impact systems, based on the type of PII stored in\n                                                                                                                                Target date\nInstitution\xe2\x80\x99s Information Security   6/30/2010     the system. The systems should either be re-classified as moderate or\n                                                                                                                                10/15/2012\nProgram                                            the security categorization revised to include adequate justification for\nA-09-11                                            classifying the system as low.\n                                                   To further strengthen the interconnections process, ensure that all          Target date\n                                                   interconnections have signed agreements prior to execution.                   
9/30/2012\n\nFY 2010 FISMA Reviews\n\nFISMA Evaluation Report                            Update SD 920 and other related documents to provide clear criteria for      Target date\n                                     3/15/2011\nA-10-01                                            designating systems for inclusion in the Smithsonian\xe2\x80\x99s FISMA inventory.       9/15/2012\n\n\n\n\n                                                                    13 \n\n\x0c                   REPORT ON FISCAL YEAR 2011\n\n         Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                     Information Security Program \n\n\nReport   Date Issued                                 Recommendation                                    Current Status\n                       Engage personnel with expertise and knowledge of Smithsonian                     Target date\n                       information systems and processes including representatives from the              9/15/2012\n                       Offices of the Undersecretaries and the Chief Information Officer, Unit\n                       and Museum Directors, and the Smithsonian Privacy Officer in\n                       reviewing the updates to the policies and documents and in the resulting\n                       modifications to the Smithsonian\xe2\x80\x99s FISMA inventory.\n                       Centrally document as part of its on-going risk management process the           Target date\n                       decisions by the Undersecretaries and the Unit managers to include or exclude     9/15/2012\n                       systems in the FISMA inventory.\n                       Update TSG 930-02 Security Controls Manual (PM-5) to reflect the approved        Target date\n                       management process.                                                               
9/15/2012\n                       We recommend that SI implement controls to ensure that all SI-owned              Target date\n                       laptops/mobile devices that may be used to store sensitive information are        9/15/2012\n                       secured with an appropriate encryption technology.\n\n\n\n\n                                         14 \n\n\x0c                                                  REPORT ON FISCAL YEAR 2011\n\n                                        Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                                                    Information Security Program \n\n\n\nThe following table represents the current status of the prior years\xe2\x80\x99 privacy program recommendations, eight (8) open recommendations and one\n(1) closed recommendation in FY 2011:\n\n            Report                Date Issued                                 Recommendation                                  Current Status\n   Privacy Program Review\n                                                Develop, document, and implement privacy policies and procedures to\n                                                support an overall privacy program that adequately addresses privacy-\nSmithsonian Institution Privacy                                                                                             Target date revised\n                                                related risks. 
Additionally, privacy policies and procedures for websites\nProgram                           5/29/2009                                                                                   to March 2012\n                                                should include practices such as conducting risk assessments, requiring a\nA-08-08                                                                                                                          Delayed\n                                                link to Smithsonian privacy policy, and complying with Smithsonian and\n                                                federal website privacy requirements.\n                                                Develop and implement an annual privacy-training program and require all\n                                                                                                                                 Closed\n                                                Smithsonian employees and contractors to complete the training.\n                                                Develop, document, and implement a process for identifying and                 Target date\n                                                documenting PII used by the Smithsonian. This process should result in a        3/15/2012\n                                                detailed list describing PII by origin, use, format, and location.               
Delayed\n                                                                                                                            Target date revised\n                                                Establish and implement requirements to reduce holdings of PII to the\n                                                                                                                               to March 2012\n                                                extent practicable.\n                                                                                                                                   Delayed\n                                                Develop, document, and implement procedures for conducting PIAs.                 Target date\n                                                Procedures for completing PIAs should address relevant Smithsonian                3/15/2012\n                                                requirements.                                                                      Delayed\n                                                                                                                            Target date revised\n                                                Post completed PIAs on the Smithsonian\xe2\x80\x99s public website.                      
to August 2011\n                                                                                                                                   Delayed\n                                                                                                                            Target date revised\n                                                Develop, document, and implement policies and procedures for\n                                                                                                                               to March 2012\n                                                safeguarding documents containing PII.\n                                                                                                                                   Delayed\n\n\n\n\n                                                                       15 \n\n\x0c                        REPORT ON FISCAL YEAR 2011\n\n              Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                          Information Security Program \n\n\nReport   Date Issued                                Recommendation                                    Current Status\n\n                       Develop and implement procedures to enforce compliance with new and          Target date revised\n                       existing privacy policies related to the protection of sensitive documents     to March 2012.\n                       containing PII.                                                                   Delayed\n\n                       Ensure that privacy links for all Smithsonian web site entries have          Target date revised\n                       consistent content and style to ensure compliance with the                   to December 2011.\n                       Smithsonian\xe2\x80\x99s published web privacy policy and procedures.                        
Delayed\n\n\n\n\n                                             16 \n\n\x0c                      REPORT ON FISCAL YEAR 2011\n\n            Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                        Information Security Program \n\n\n\nMANAGEMENT RESPONSE\n\n\n\n\n                                      17 \n\n\x0c                       REPORT ON FISCAL YEAR 2011\n\n             Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                         Information Security Program \n\n\nMANAGEMENT RESPONSE (CONTINUED)\n\n\n\n\n\n                                       18 \n\n\x0c                       REPORT ON FISCAL YEAR 2011\n\n             Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                         Information Security Program \n\n\nMANAGEMENT RESPONSE (CONTINUED)\n\n\n\n\n\n                                       19 \n\n\x0c                       REPORT ON FISCAL YEAR 2011\n\n             Independent Evaluation of the Smithsonian Institution\xe2\x80\x99s \n\n                         Information Security Program \n\n\n\nMANAGEMENT RESPONSE (CONTINUED)\n\n\n\n\n                                       20 \n\n\x0c"
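Returning to the patch-management finding in section IV: the auditors' test (read the installed version on each sampled workstation and compare it with the vendor's patch releases) and the 30-day critical / 60-day high-risk windows of recommendation 9 can be expressed as a small compliance check. The following Python script is an added illustration, not code from the OIG report or OCIO; every product name, version, release date and host name in it is constructed sample data.

```python
# Added illustration, not code from the OIG report: models the audit's test
# (sample workstations, read installed versions, compare with vendor patch
# releases) against the 30/60-day windows in recommendation 9. All product
# names, versions, dates and host names below are constructed sample data.
from dataclasses import dataclass
from datetime import date

# Days allowed after a vendor release, by vendor-assigned severity (rec. 9).
SLA_DAYS = {"critical": 30, "high": 60}

@dataclass(frozen=True)
class Patch:
    product: str
    version: str    # version the product is at once this patch is applied
    released: date  # vendor release date
    severity: str   # "critical" or "high"

@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str    # version observed on the workstation

@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    required: str       # newest patched version available
    severity: str       # severity of the oldest unapplied patch
    days_past_sla: int  # positive: the remediation window has closed

def version_key(version: str) -> tuple:
    """Numeric comparison of dotted versions, so '6.0.31' > '6.0.4'."""
    return tuple(int(part) for part in version.split("."))

def evaluate(inventory: list, patches: list, as_of: date) -> list:
    """One Finding per (host, product) behind the vendor's patch level.
    The oldest unapplied patch drives the clock: that exposure has existed
    the longest, so the SLA is measured from its release date."""
    findings = []
    for item in inventory:
        missing = [p for p in patches
                   if p.product == item.product
                   and version_key(p.version) > version_key(item.version)]
        if not missing:
            continue
        oldest = min(missing, key=lambda p: p.released)
        newest = max(missing, key=lambda p: version_key(p.version))
        elapsed = (as_of - oldest.released).days
        findings.append(Finding(item.host, item.product, item.version,
                                newest.version, oldest.severity,
                                elapsed - SLA_DAYS[oldest.severity]))
    return findings

def overdue(findings: list) -> list:
    """Findings whose 30- or 60-day window has already been exceeded."""
    return [f for f in findings if f.days_past_sla > 0]

def share_missing(findings: list, inventory: list, product: str) -> float:
    """Percent of tested hosts behind on a product (the report's statistic)."""
    hosts_tested = {i.host for i in inventory}
    behind = {f.host for f in findings if f.product == product}
    return 100.0 * len(behind) / len(hosts_tested)

# Constructed sample scan (not from the report).
PATCHES = [
    Patch("Java", "6.0.20", date(2011, 1, 10), "critical"),
    Patch("Java", "6.0.31", date(2011, 9, 5), "critical"),
    Patch("QuickTime", "7.7", date(2011, 8, 1), "high"),
    Patch("AdobeReader", "9.4", date(2011, 3, 1), "critical"),
]
INVENTORY = [
    Installed("ws01", "Java", "6.0.31"),      # current
    Installed("ws01", "QuickTime", "7.6"),    # high patch exactly 60 days old
    Installed("ws02", "Java", "6.0.10"),      # two critical patches behind
    Installed("ws02", "AdobeReader", "9.4"),  # current
    Installed("ws03", "Java", "6.0.20"),      # critical patch still in window
    Installed("ws04", "AdobeReader", "9.3"),  # critical patch long overdue
]
AS_OF = date(2011, 9, 30)  # date the constructed scan was taken

if __name__ == "__main__":
    for f in sorted(evaluate(INVENTORY, PATCHES, AS_OF),
                    key=lambda f: -f.days_past_sla):
        state = "OVERDUE" if f.days_past_sla > 0 else "within window"
        print(f"{f.host} {f.product} {f.installed} -> {f.required} "
              f"{f.severity} {state} ({f.days_past_sla:+d} days vs SLA)")
```

A host that is exactly at the deadline (ws01's QuickTime, 60 days after a high-risk release) is reported as missing but not yet overdue, which is the distinction a quarterly report to the OCIO Security Program would need to make.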